The Role of Internal Audit in Fighting Fraud The EU perspective Robert GIELISSE, CIA, CGAP Principal Advisor in Charge of PIC/PIFC DG Budget – PA.02

Your presenter Robert GIELISSE – Dutch National  CIA, CGAP  Principal Adviser, Head of EC PIC/PIFC Task Force  Chairperson of EU28 PIC Network and Working Group  In EC since 1983, various managerial positions since 1993  Dutch Tax Administration 1978 – 1983  University degrees in Economy and Law 2

Assumptions  Reference for Internal Control: COSO framework/INTOSAI guidelines  Reference for Internal Audit: IPPF by IIA  IC/IA are executed at entity level (IA may be centralised or decentralised)  Inspection (where present) at central level as ex-post (non-proactive) activity 3

Definition of Internal Control Internal Control (COSO definition) A process, effected by an entity’s Board of Directors, management and other staff, designed to provide reasonable assurance regarding the achievements of objectives in the following categories:  efficiency and effectiveness of operations – Accomplish Mission;  reliability of (financial and other) reporting – Accurate data for Decision Making  compliance with laws and regulations  safeguarding of assets 4

Internal Control, the essence Internal Control In essence … it’s about  Process  People  Reasonable Assurance  Clear objectives 5

Definition of Internal Audit (IPPF by IIA) Internal Audit (IPPF) Internal audit is an independent and objective assurance and consulting activity designed to add value and improve the organisation’s operations. It helps the organisation in achieving its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of the risk management, control and governance processes 6

Internal Audit, the essence Internal Audit (assurance services) In essence – it’s about  Adding value: meaning that it intends to improve operations  Reasonable (not absolute) assurance that:  Risk management -, control - and governance processes operate as intended 7

IPPF International Professional practice Framework (IPPF) 1. Definition of Internal Auditing - Mandatory 2. Code of Ethics - Mandatory 3. The Standards (Attribute and Performance) - Mandatory 4. Practice Advisories - Advisory 5. Practice Guides - Advisory 6. Position Papers - Advisory 7. Glossary 8

Definition of Fraud - 1 Fraud: The 2008 definition by IIA, AICPA and ACFE "Any intentional act or omission designed to deceive others, resulting in the victim suffering a loss and /or the perpetrator achieving a gain" 9

Definition of Fraud - 2 Fraud  can be harmful to the organisation  can be harmful to the organisation (public and private sector)  can be beneficial to the organisation (mostly private sector) Fraud  to the benefit of one or more individuals  to the benefit of one or more individuals (public and private sector)  to the benefit of the organisation (mostly private sector) Focus is on the fraud that is harmful to the organisation and to the benefit of one or more individuals 10

Examples of fraud in the public sector  Procurement  Bribery and corruption  Recruitment  Data and IP theft  Scam  Payroll and expense management 11

Fight against Fraud: the main Actors  The Fraudster  Management  Internal Audit  Inspection  External Audit 12

The Fraudster - Profile His/her profile Anyone is in the position to commit fraud but Key Profile (PWC 2014 – Private sector):  Male  31 – 40 years  6+ years of service  Graduate level 13

The Fraudster: the fraud triangle Preconditions to fraud: 1) How? Opportunity 2) Why? Motive 3) Why not? Rationalisation 14

Management and Fraud Management's role in fighting fraud: Preventive, Detective and Responsive Management's key responsibility is to ensure proper Internal Control  Governance structures to include Fraud risk:  Outspoken Anti-Fraud Strategy and policies  Ethical environment that sets the right tone (incl. 'Tone at the Top')  Fraud risk to be included in risk Assessment  Design effective preventive and detective controls  Consistent and open response to fraud incidents  Report on Fraud 15

Internal Audit and Fraud 1)One of Internal audit’s main objectives is to give reasonable assurance that the internal control system operates as intended. 2)This includes that the IC system should be sufficiently ‘fraud’ proof and Internal Audit seeks to test the IC system robustness to most likely types of fraud: whether controls are in place to prevent and detect fraud occurrence and whether these controls are effective 3)Internal Auditor must have sufficient knowledge to identify fraud indicators, but they are not expected to have the expertise of persons whose primary responsibility is detecting and investigating fraud 4)If Internal Audit provides reasonable assurance about the quality of the IC system, this does not mean that fraud has not occurred or will not occur (‘Audit Gap’) 5)Internal Auditor is not expected to detect, or to investigate fraud! 16

Internal Auditor's role – 1 Applicable IPPF Standards IPPF – International Standards for Internal Audit relating to Fraud  1210.A2 Knowledge (sufficient knowledge to evaluate the risk of fraud)  1220.A1 - Due Professional Care (consider probability of fraud)  Reporting to Senior Management and the Board (reporting including fraud risks)  2110.A1 Ethics programmes (evaluate organisation’s ethics-related objectives, programs )  2120.A2 Fraud Risk Examination (evaluate the potential for fraud occurrence and fraud risk management)  2210.A2 Significant Fraud (consider the probability of significant … fraud when developing engagement objectives) 17

Internal Auditor’s role – 2 Internal Auditors responsibilities relating to fraud  Objective assessment on organisation's framework of governance, risk management and internal control  Apply due professional care and professional scepticism  Preventing and detecting fraud and corruption is not a primary role of internal audit  Internal auditors are not expected to act as professional investigators 18

Internal Auditor’s role – 3 During the internal audit engagement Internal Auditor must:  Consider fraud risk in the design of audit activity  Consider fraud risk in the assessment of the IC system  Document the consideration of fraud risk  Identify Major Fraud risks and consider effectiveness of mitigating controls  Be alert to control deficiencies; if they are identified, what happened?  Verify whether Management is actively endorsing the Fraud risk program,  Addresses control deficiencies, ensures monitoring and pursues cases of reported fraud  Communicate with Senior management and ‘The Board’ in case of significant fraud  Recommend investigation when appropriate, do not investigate further 19

Evaluating Fraud Risk Assessment Key Steps for Internal Audit 1)Identify relevant fraud risk factors 2)Identify potential fraud schemes and prioritize them based on risk 3)Map existing controls to potential fraud schemes and identify gaps 4)Test effectiveness of controls 5)Document and report the fraud risk assessment 20

Fraud Indicators 1: Red Flags Red flag Red flag - a warning signal or a hint of something that needs extra attention to exclude or confirm potential fraud. Person related red flags  Lavish life style mismatching level of income  Sudden increase in wealth (luxury cars, villas, jewellery)  Reluctance to take any holidays  Refusal to change position, responsibilities, file  Employee's personality change, mood swings, change in behaviour 21

Fraud Indicators 2: Red Flags Organisation related red flags  Ineffective internal controls  Poor ethical climate  No ‘tone at the top’  Deficient recruitment procedures  High or very low personnel turnovers for sensitive functions 22

Internal Auditor’s role in Investigating Fraud  Internal audit function is not to prevent or detect or investigate fraud  Internal audit should be alert on the possibility of fraud in conducting the engagement: i.e. be attentive to 'red flags'  If fraud is discovered internal auditor should alert management and/or specialised services Exceptions  Special fraud engagement (should be in the Charter)  Forensic auditing (to collect evidence of fraud that stands in Court)  Internal auditor may be asked to assist fraud investigators (but should have sufficient knowledge) 23

Financial Inspection and fraud Key role of Financial Inspection in fraud cases (compatible with COSO) Centralised specialised function (Police function) ("Inspection Générale des Finances") of specialized anti- fraud squads/police  Based on allegation or suspicion  Detect, investigate  Focus on wrongdoing  Corrective action 24

Financial Inspection: pro-active or re-active 2 modalities traditional proactive COSO compatible reactive 25

Traditional role of Inspection (in the absence of decentralised Internal control/internal audit)  Proactive approach exercised by regular checks, work plan based  Financial control of individual operations  Ex-ante control to prevent non-compliance with regulations, irregularities or fraud  Ex-post control to correct non-compliance  Reporting to the Minister of Finance and the Prosecutor 26

Role of Inspection compatible with decentralised Internal control (COSO)  COSO compliant - reactive approach – ex-post control on a case by case basis  Inspection triggered by suspicion of fraud, (documented) allegation, whistleblowing, audit reports (internal and external)  Inspection aiming to investigate irregularities and fraud; impose sanctions, penalties where relevant  'Police' function 27

Role of External Audit  Financial and performance auditing (INTOSAI compliant)  Assess the functioning of IC system in the public sector and inform management (INTOSAI GOV 9100)  Consider fraud risk when planning and performing audit  Focus is not on fraud detection or investigation but IC oversight; unless absence of IC in the public sector  Reports to the Parliament  Has financial and functional independence from the executive Conclusionexternal audit is comparable with internal audit in relation to fraud Conclusion: external audit is comparable with internal audit in relation to fraud 28

Internal Audit versus Inspection: a bird's eye view Differences between Internal Audit and Inspection Internal audit Inspection TriggerBased on riskBased on allegations, suspicion ObjectiveReasonable assurance on governance, risk management, control Focus on wrongdoing and it's correction ScopeBroad management issues Legal Type relationCordial (critical friend)Adversarial, interrogative AssumptionProbably proprietyPossible impropriety DriverAdding valueCorrective action EnvironmentPart of Internal ControlExternal to the entity 29

Conclusions 1 Fraudster: Opportunity, Motive and Rationalization Management:  Ensures ethical environment and leads by example  Assesses risk for fraud – designs preventive and detective controls  Takes action in case fraud is revealed 30

Conclusions 2 Internal Audit:  Assesses whether controls work  Looking for red flags  Report on cases of presumed fraud Inspection:  Examines cases of suspected fraud  Seeks to repair the financial damage  Ensures that fraudster is reported for prosecution External audit  Role compatible with internal audit 31

Conclusions 3 Concerning fraud, please remember: start small  Most frauds start small  Segregation of duties cash  Segregation of duties is crucial for cash sensitive business same controls for all  Seniority, reputation or trust cannot warrant lose or absence of internal controls: same controls for all  Trustdenominator  Trust is a common denominator underlying many frauds 32

Sources 1)IPPF – Practical Guide: Internal Auditing and Fraud – December 2009 by IIA 2)CIA-Part2, Topic 2, Conducting the Internal Audit Engagement – Awareness of the Potential Fraud, 2010, IIA 3)Auditing Fraud – How to do it right: A Practical Guide. Presentation by Martin Robinson at the IIA Global conference, London June )Donald McConnell Jr/Fanghry Josan, Internal Audit Magazine, August

Thank you! Question time 34